Yes, the Privacy Rule permits this practice
as long as the clinic takes reasonable and appropriate measures to protect
the patient’s privacy. The physician or other health care professionals use
the patient charts for treatment purposes. Incidental disclosures to others
that might occur as a result of the charts being left in the box are
permitted, if the minimum necessary and reasonable safeguards requirements
are met. See 45 CFR 164.502(a)(1)(iii). As the purpose of leaving the chart
in the box is to provide the physician with access to the medical
information relevant to the examination, the minimum necessary requirement
would be satisfied. Examples of measures that could be reasonable and
appropriate to safeguard the patient chart in such a situation would be
limiting access to certain areas, ensuring that the area is supervised,
escorting non-employees in the area, or placing the patient chart in the box
with the front cover facing the wall rather than having protected health
information about the patient visible to anyone who walks by. Each covered
entity must evaluate what measures are reasonable and appropriate in its
environment. Covered entities may tailor measures to their particular
circumstances.

12. Is an authorization needed to send a medical record to another provider who is treating the patient?

No. The HIPAA Privacy Rule permits a health
care provider to disclose protected health information about an individual,
without the individual’s authorization, to another health care provider for
that provider’s treatment of the individual.

No, the listed types of policies are not
health plans. The HIPAA Administrative Simplification regulations
specifically exclude from the definition of a “health plan” any policy,
plan, or program to the extent that it provides, or pays for the cost of,
excepted benefits, which are listed in section 2791(c)(1) of the Public
Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 CFR 160.103. As
described in the statute, excepted benefits are one or more (or any
combination thereof) of the following policies, plans or programs:

Coverage only for accident, or disability income insurance, or any
combination thereof.

Coverage issued as a supplement to liability insurance.

Liability insurance, including general liability insurance and automobile
liability insurance.

Workers’ compensation or similar insurance.

Automobile medical payment insurance.

Credit-only insurance.

Coverage for on-site medical clinics.

Other similar insurance coverage, specified in regulations, under which
benefits for medical care are secondary or incidental to other insurance
benefits.

14. Under what conditions may a health care provider use, disclose, or request an entire medical record?

No. The Privacy Rule does not prohibit the
use, disclosure, or request of an entire medical record; and a covered
entity may use, disclose, or request an entire medical record without a
case-by-case justification, if the covered entity has documented in its
policies and procedures that the entire medical record is the amount
reasonably necessary for certain identified purposes. For uses, the policies
and procedures would identify those persons or classes of person in the
workforce that need to see the entire medical record and the conditions, if
any, that are appropriate for such access. Policies and procedures for
routine disclosures and requests and the criteria used for non-routine
disclosures and requests would identify the circumstances under which
disclosing or requesting the entire medical record is reasonably necessary
for particular purposes.

The Privacy Rule does not require that a justification be provided with
respect to each distinct medical record.

Finally, no justification is needed in those instances where the minimum
necessary standard does not apply, such as disclosures to or requests by a
health care provider for treatment purposes or disclosures to the individual
who is the subject of the protected health information.

15. May a health care provider disclose parts of a medical record that were created by another provider?

Yes, the Privacy Rule permits a provider who
is a covered entity to disclose a complete medical record including portions
that were created by another provider, assuming that the disclosure is for a
purpose permitted by the Privacy Rule, such as treatment.

16. Must I post my entire notice, or may I just post a brief description of it?

Covered health care providers that maintain
an office or other physical site where they provide health care directly to
individuals are required to post their entire notice at the facility in a
clear and prominent location. The Privacy Rule, however, does not prescribe
any specific format for the posted notice, just that it include the same
information that is distributed directly to the individual. Covered health
care providers have discretion to design the posted notice in a manner that
works best for their facility, which may be to simply post a copy of the
pages of the notice that is provided directly to individuals.

17. When is a health care provider a business associate of another health care provider?

The HIPAA Privacy Rule explicitly excludes
from the business associate requirements disclosures by a covered entity to
a health care provider for treatment purposes. See 45 CFR 164.502(e)(1).
Therefore, any covered health care provider (or other covered entity) may
share protected health information with a health care provider for treatment
purposes without a business associate contract. However, this exception does
not preclude one health care provider from establishing a business associate
relationship with another health care provider for some other purpose. For
example, a hospital may enlist the services of another health care provider
to assist in the hospital’s training of medical students. In this case, a
business associate contract would be required before the hospital could
allow the health care provider access to patient health information.

18. Is a business associate contract needed for janitorial services and the like?

A business associate contract is not
required with persons or organizations whose functions, activities, or
services do not involve the use or disclosure of protected health
information, and where any access to protected health information by such
persons would be incidental, if at all. Generally, janitorial services that
clean the offices or facilities of a covered entity are not business
associates because the work they perform for covered entities does not
involve the use or disclosure of protected health information, and any
disclosure of protected health information to janitorial personnel that
occurs in the performance of their duties (such as may occur while emptying
trash cans) is limited in nature, occurs as a by-product of their janitorial
duties, and could not be reasonably prevented. Such disclosures are
incidental and permitted by the HIPAA Privacy Rule. See 45 CFR
164.502(a)(1).

If a service is hired to do work for a covered entity where disclosure of
protected health information is not limited in nature (such as routine
handling of records or shredding of documents containing protected health
information), it likely would be a business associate. However, when such
work is performed under the direct control of the covered entity (e.g., on
the covered entity’s premises), the Privacy Rule permits the covered entity
to treat the service as part of its workforce, and the covered entity need
not enter into a business associate contract with the service.

19. Must a health care provider give a copy of its notice to everyone, or just those that ask for it?

The HIPAA Privacy Rule requires a covered
health care provider with direct treatment relationships with individuals to
give the notice to every individual no later than the date of first service
delivery to the individual and to make a good faith effort to obtain the
individual’s written acknowledgment of receipt of the notice. If the
provider maintains an office or other physical site where she provides
health care directly to individuals, the provider must also post the notice
in the facility in a clear and prominent location where individuals are
likely to see it, as well as make the notice available to those who ask for
a copy.

20. Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

No. However, a covered entity must ensure
through its contract with the business associate that the business
associate’s uses and disclosures of protected health information and other
actions are consistent with the covered entity’s privacy policies, as stated
in the covered entity’s notice. Also, a covered entity may use a business
associate to distribute its notice to individuals.